Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal

EDB-ID:

39642

CVE:

2016-0784

EDB Verified:

Author:

Andreas Lindh

Type:

webapps

Exploit:   /  

Platform:

Linux

Date:

2016-03-31

Vulnerable App: 
Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0

Description:
The Import/Export System Backups functionality in the OpenMeetings
Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path
traversal via specially crafted file names within ZIP archives. 

By uploading an archive containing a file named ../../../public/hello.txt will write
the file "hello.txt" to the http://domain:5080/openmeetings/public/ directory. This could
be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd party
integrated executable) with a shell script, which would be executed the next time an image
file is uploaded and imagemagick is invoked.

All users are recommended to upgrade to Apache OpenMeetings 3.1.1

Credit: This issue was identified by Andreas Lindh

Apache OpenMeetings Team

-- 
WBR
Maxim aka solomax
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services